Lennart Poettering CC-BY-SA-3.0

The achievements of and plans for systemd

Extending Integration

Article from ADMIN 67/2022
We talked to systemd maintainer Lennart Poettering about the sense and purpose of some systemd features.

Linux Magazine: If you take stock of the last three or four years, what have been the most important innovations in systemd during this time?

Lennart Poettering: That would be, firstly, all the security features we have added and made visible with the systemd-analyze security tool. Regular system services can now be locked into effective sandboxes with relative ease, but can still be integral parts of the host operating system. I believe this has advanced Linux system security quite a bit.

Another important innovation might be systemd-tmpfiles and systemd-sysusers. Strictly speaking, they are more than four or five years old, but it is only in the last three or four years that they have finally seen more widespread use in the popular distributions. We are looking to move to a declarative description of the system and its components, leaving behind imperative scriptlets in packages and the like. This improves robustness, security, and reproducibility.

The dynamic user strategy makes it possible to allocate system users dynamically when starting system services and to release them again automatically when the service terminates. This takes into account that system users are the original mechanism used to implement privilege separation on Unix and Linux. No matter which subsystem you look at, access control based on users is always implemented on Linux. Other concepts – such as SELinux labels, Access Control Lists (ACLs), other Mandatory Access Controls (MACs), and so on – are not universally available and are nowhere near as popular or as universally well understood.

Classically, however, such system users are expensive, with only 1,000 of them (or sometimes only 100 or 500, depending on the distribution), and they are allocated individually during package installation. So traditionally they can only be used roughly to secure
